Formalizing the Confluence of Orthogonal Rewriting Systems 



Ana Cristina Rocha Oliveira and Mauricio Ayala-Rincón
Grupo de Teoria da Computação
Departamentos de Matemática e Ciência da Computação
Universidade de Brasília
Brasília D.F., Brazil
Email: anacrismarie@gmail.com, ayala@unb.br



Orthogonality is a programming discipline that guarantees, in a purely syntactic manner, the determinism of functional specifications. Essentially, orthogonality avoids, on the one hand, the inherent ambiguity of non-determinism, by prohibiting different rules that specify the same function and that may apply simultaneously (non-ambiguity), and, on the other hand, it rules out repeated occurrences of variables in the left-hand sides of these rules (left linearity). In the theory of term rewriting systems (TRSs), determinism is captured by the well-known property of confluence, which basically states that whenever different computations or simplifications from a term are possible, the computed answers must coincide. Although the proofs are technically elaborate, confluence is well known to be a consequence of orthogonality. Thus, orthogonality is an important mathematical discipline intrinsic to the specification of recursive functions, naturally applied in functional programming and specification. Starting from a formalization of the theory of TRSs in the proof assistant PVS, this work describes how confluence of orthogonal TRSs has been formalized in this proof assistant, based on axiomatizations of properties of the rules, positions and substitutions involved in parallel reduction steps. Proofs of some similar but more restricted properties, such as the confluence of non-ambiguous and (left and right) linear TRSs, have been fully formalized.



1 Introduction 



Termination and confluence of term rewriting systems (TRSs) are well-known undecidable properties, related to the termination of computer programs and to the determinism of their outputs. Under the hypothesis of termination, confluence is guaranteed by the critical pair criterion of Knuth-Bendix(-Huet) [8, 9], which establishes that whenever all critical pairs of a given terminating rewriting system are joinable, the system is confluent. This criterion, as well as other criteria for abstract reduction systems such as Newman's lemma, was fully formalized in the proof assistant PVS in [5, 7] over the PVS theory trs [6], which is available in the NASA LaRC PVS library [14]. Without termination, confluence analysis becomes more complex, but several programming disciplines, among which orthogonality stands out, guarantee confluence without the need for termination.

In the context of the theory of recursive functions and functional programming, as in that of TRSs, the programming discipline of orthogonality imposes two restrictions: left-linearity and non-ambiguity. The former allows only definitions or rules in which each variable appears only once on the left-hand side (lhs, for short) of each rule; the latter excludes definitions or rules that could apply simultaneously.
This work reports a formalization of the property of confluence of orthogonal systems in the proof assistant PVS. The formalization uses the PVS theory trs, but several additional notions, such as the parallel rewriting relation, were included in order to follow the standard inductive proof of this property, which is based on the proof of the diamond property for the parallel reduction associated with any orthogonal TRS, as presented in [?]. In the current state of this formalization, several technical details related to properties of terms and subterms involved in one step of parallel reduction are axiomatized. Additionally, the PVS theory includes a complete formalization of the confluence of non-ambiguous and linear TRSs. An extended version of this paper as well as the PVS development are available at www.mat.unb.br/~ayala/publications.html.

Proofs of confluence of orthogonal TRSs have been known at least since Rosen's seminal study on Church-Rosser properties of tree manipulating systems [12], and several of them are based on a similar strategy through the famous Parallel Moves Lemma. Rosen's proof uses a notion of residuals of positions in a notation that was later standardized by Huet in [8], a paper in which Huet presented a proof of confluence of left-linear and parallel closed TRSs, which, unlike Rosen's proof, admits critical pairs, provided they are joinable from left to right in a single step of parallel reduction.

In the chapter on orthogonality of [?], the authors present five styles of proof of confluence of orthogonal systems as well as an extension of the confluence result to weakly orthogonal TRSs. The styles of proof given there do not differ in essence: the first one uses the notions of residuals and descendants via the parallel moves lemma, the second one avoids explicit mention of residuals by underlining reductions, the third one imports from the λ-calculus and combinatory logic the notion of complete developments, and the fourth style uses elementary and reduction diagrams. The fifth proof is an inductive confluence proof, the one most closely related to our formalization approach; it follows lines of reasoning based on the analysis of properties of the parallel rewriting relation and the parallel moves lemma, just by changing the definition of parallel reduction. In this proof the parallel relation is defined from the rewriting relation as the reflexive relation that is compatible with substitutions and, in parallel, compatible with contexts. Thus, after proving a version of the parallel moves lemma, the diamond property of parallel reduction is proved by induction on the structure of terms, based on the analysis of the six possible cases of a parallel divergence; that is, whether the divergence terms are obtained from a term by application of two different steps of parallel reduction, by combinations of reflexivity, substitution and context, according to the definition of the parallel relation. In this analysis, the version of the parallel moves lemma is applied in the case of a divergence in which, on one side, a term is obtained by substitution and, on the other side, by context.

For this formalization, the inductive proof presented in [?] has been chosen because it uses the nowadays standard rewriting notation, as the PVS theory trs does, uses a standard definition of parallel reduction and follows lines of reasoning that, from the authors' viewpoint, are of great didactic interest.

2 Specification of Basic Notions and Definitions

Standard notation of the theory of rewriting is used as in [3] or [?]. One says that a rewriting relation $\rightarrow$

is confluent whenever $(\leftarrow^{*} \circ \rightarrow^{*}) \subseteq (\rightarrow^{*} \circ \leftarrow^{*})$,

is triangle-joinable if $(\leftarrow \circ \rightarrow) \subseteq (\rightarrow^{=} \circ \leftarrow) \cup (\rightarrow \circ \leftarrow^{=})$,

has the diamond property if $(\leftarrow \circ \rightarrow) \subseteq (\rightarrow \circ \leftarrow)$.

A well-defined set of terms is built from a given signature and an enumerable set of variables. A rule $e = (l, r)$ is an ordered pair of terms such that the first one is not a variable and all variables in the second one occur in the first one. A TRS is given as a set of rules. The reduction relation $\rightarrow$ induced by a TRS $E$ is built as follows: a term $t$ reduces to $t_0$ (denoted as $t \rightarrow t_0$) if there are a position $\pi$ of $t$, a rule $e \in E$ and a substitution $\sigma$ such that $t|_{\pi} = lhs(e)\sigma$, i.e., the subterm of $t$ at position $\pi$ is the lhs of the rule $e$ instantiated by the substitution $\sigma$, and $t_0$ is obtained from $t$ by replacing the subterm at position $\pi$ by the corresponding instantiation of the right-hand side (rhs, for short) of the rule, that is $rhs(e)\sigma$. The only change done in order to obtain $t_0$ from $t$ occurs at position $\pi$. All this is summarized by the following notation: $t = t[\pi \leftarrow lhs(e)\sigma] \rightarrow t[\pi \leftarrow rhs(e)\sigma] = t_0$, where, in general, $u[\pi \leftarrow v]$ denotes the term obtained from $u$ by replacing the subterm at position $\pi$ of $u$ by the term $v$.

Given terms $t_1$ and $t_2$, one says that $t_1$ reduces in parallel to $t_2$, denoted as $t_1 \Rightarrow t_2$, whenever there exist finite sequences

$\Pi := \pi_1, \ldots, \pi_n$;
$\Sigma := \sigma_1, \ldots, \sigma_n$ and
$\Gamma := e_1, \ldots, e_n$

of parallel positions of $t_1$, substitutions and rules in $E$, respectively, such that:

$t_1|_{\pi_i} = lhs(e_i)\sigma_i, \ \forall i = 1, \ldots, n$,

i.e., the subterm of $t_1$ at position $\pi_i$ is the lhs of the rule $e_i$ instantiated by the substitution $\sigma_i$; and $t_2$ is obtained from $t_1$ by replacing all subterms at positions in $\Pi$ so that

$t_2|_{\pi_i} = rhs(e_i)\sigma_i, \ \forall i = 1, \ldots, n$,

i.e., for all $i$, the subterm at position $\pi_i$, which is the $\sigma_i$ instance of the lhs of the rule $e_i$, $lhs(e_i)\sigma_i$, is replaced by the $\sigma_i$ instance of the rhs of the rule, $rhs(e_i)\sigma_i$. The only changes done in order to obtain $t_2$ from $t_1$ occur at the positions in $\Pi$. All this is summarized by the following notation:

$t_1 = t_1[\pi_1 \leftarrow l_1\sigma_1] \ldots [\pi_n \leftarrow l_n\sigma_n] \Rightarrow t_1[\pi_1 \leftarrow r_1\sigma_1] \ldots [\pi_n \leftarrow r_n\sigma_n] = t_2$,

where $l_i = lhs(e_i)$ and $r_i = rhs(e_i)$, for $1 \le i \le n$.

The PVS theory trs includes all necessary basic notions and properties to formalize elaborate theorems of the theory of rewriting, such as the confluence of orthogonal systems; trs includes specifications and formalizations of the algebra of terms, subterms and positions, properties of abstract reduction systems, confluence and termination, among others. The current development of the PVS theory called orthogonality deals specifically with orthogonality-related notions and properties. Among the definitions specified inside the theory orthogonality one could mention the basic boolean ones listed below, where E is a set of rewriting rules (equations).

- Ambiguous?(E): bool = EXISTS (t1, t2): CP?(E)(t1, t2)

- linear?(t): bool = FORALL (x | member(x, Vars(t))): Card[position](Pos_var(t, x)) = 1

- Right_Linear?(E): bool = FORALL (e1 | member(e1, E)): linear?(rhs(e1))

- Left_Linear?(E): bool = FORALL (e1 | member(e1, E)): linear?(lhs(e1))

- Linear?(E): bool = Left_Linear?(E) & Right_Linear?(E)

- Orthogonal?(E): bool = Left_Linear?(E) & NOT Ambiguous?(E)
In the specification of Ambiguous?(E), CP?(E)(t1, t2) specifies that t1 and t2 form a critical pair of the rewriting system E. A term t is linear? whenever each variable x in t occurs only once. The expressions Right_Linear?(E) and Left_Linear?(E) indicate respectively that the rhs and the lhs of all rules in E are linear. The predicate Linear? specifies linearity of sets of rewriting rules. Finally, Orthogonal? specifies orthogonality of TRSs.

More elaborate auxiliary definitions are specified as follows:

- local_joinability_triangle?(R): bool = FORALL (t, t1, t2): R(t, t1) & R(t, t2) =>
    EXISTS s: (RC(R)(t1, s) & R(t2, s)) OR (R(t1, s) & RC(R)(t2, s))

- replaceTerm(s: term, t: term, (p: positions?(s))): RECURSIVE term =
    IF length(p) = 0 THEN t
    ELSE LET st = args(s), i = first(p), q = rest(p),
             rst = replace(replaceTerm(st(i-1), t, q), st, i-1) IN app(f(s), rst)
    ENDIF MEASURE length(p)

- reduction?(E)(s, t): bool = EXISTS ((e | member(e, E)), sigma, (p: positions?(s))):
    subtermOF(s, p) = ext(sigma)(lhs(e)) & t = replaceTerm(s, ext(sigma)(rhs(e)), p)

- replace_par_pos(s, (fsp: SPP(s)), (fse | fse`length = fsp`length),
                  (fss | fss`length = fsp`length)): RECURSIVE term =
    IF length(fsp) = 0 THEN s
    ELSE replace_par_pos(replaceTerm(s, ext(fss(0))(rhs(fse(0))), fsp(0)),
                         rest(fsp), rest(fse), rest(fss))
    ENDIF MEASURE length(fsp)

- parallel_reduction?(E)(s, t): bool =
    EXISTS (fsp: SPP(s), (fse | FORALL (i: below[fse`length]): member(fse(i), E)), fss):
      fsp`length = fse`length & fsp`length = fss`length
      & (FORALL (i: below[fsp`length]): subtermOF(s, fsp(i)) = ext(fss(i))(lhs(fse(i))))
      & t = replace_par_pos(s, fsp, fse, fss)

RC(R), used in local_joinability_triangle?, specifies the reflexive closure of the rewriting relation R. For a functional term s, f(s) and args(s) compute the head function symbol of s and its arguments, respectively; also, app(f(s), args(s)) builds the functional term s. The function replace with arguments (t, st, i) replaces the (i+1)-th term of the sequence of arguments st by t. The recursive function replaceTerm replaces a subterm of a term: for the input triple (s, t, p) it outputs the term obtained from s by replacing the subterm at position p of s by t, which in standard rewriting notation is written as $s[p \leftarrow t]$. Similarly, replace_par_pos specifies the parallel replacements necessary in one step of parallel reduction. The specification of the relation of parallel reduction is given by parallel_reduction?, in which the variables fsp, fse and fss are the sequences of parallel positions, rewrite rules and substitutions that were denoted respectively as $\Pi$, $\Gamma$ and $\Sigma$ in the definition of the parallel reduction relation.
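The rewriting and parallel rewriting relations defined above, together with the PVS functions replaceTerm, reduction?, replace_par_pos and parallel_reduction? just listed, as an added Python example (not part of the paper or of its PVS theory): positions, $s[p \leftarrow t]$, matching, one-step and parallel reduction, and a brute-force check of the diamond property of $\Rightarrow$ from a given term. The term representation and the Peano addition rules E_ADD are constructed for this example.

```python
# Term representation (assumption of this example): a variable is a str, a
# functional term is (f, args); positions are tuples of 1-based indices, () the root.
def is_var(t):
    return isinstance(t, str)

def positions(t, here=()):
    """All positions of t, root first."""
    yield here
    if not is_var(t):
        for i, a in enumerate(t[1], start=1):
            yield from positions(a, here + (i,))

def subterm(t, p):
    for i in p:
        t = t[1][i - 1]
    return t

def replace_term(s, t, p):
    """s[p <- t], the replaceTerm of the PVS theory."""
    if not p:
        return t
    args = list(s[1])
    args[p[0] - 1] = replace_term(args[p[0] - 1], t, p[1:])
    return (s[0], tuple(args))

def match(pat, t, sigma=None):
    """Substitution sigma with pat sigma == t, or None if pat does not match t."""
    sigma = {} if sigma is None else sigma
    if is_var(pat):
        sigma.setdefault(pat, t)
        return sigma if sigma[pat] == t else None
    if is_var(t) or t[0] != pat[0] or len(t[1]) != len(pat[1]):
        return None
    for a, b in zip(pat[1], t[1]):
        if match(a, b, sigma) is None:
            return None
    return sigma

def apply_subst(sigma, t):
    return sigma.get(t, t) if is_var(t) else (t[0], tuple(apply_subst(sigma, a) for a in t[1]))

def parallel(p, q):
    """Two positions are parallel iff neither is a prefix of the other."""
    return p[:len(q)] != q and q[:len(p)] != p

def redexes(E, s):
    """Every (position, rule, substitution) at which a rule of E matches s."""
    return [(p, (l, r), sg) for p in positions(s) for (l, r) in E
            for sg in [match(l, subterm(s, p))] if sg is not None]

def reduction(E, s):
    """reduction?: the set of all t with s -> t."""
    return {replace_term(s, apply_subst(sg, r), p) for p, (l, r), sg in redexes(E, s)}

def parallel_reduction(E, s):
    """parallel_reduction?: all t with s => t, i.e. s rewritten at any subset of its
    redexes with pairwise parallel positions (the empty subset yields s itself)."""
    rx, out = redexes(E, s), {s}
    for mask in range(1 << len(rx)):
        chosen = [x for i, x in enumerate(rx) if mask >> i & 1]
        ps = [p for p, _, _ in chosen]
        if all(parallel(p, q) for i, p in enumerate(ps) for q in ps[i + 1:]):
            t = s
            for p, (l, r), sg in chosen:  # replace_par_pos: one replaceTerm per position
                t = replace_term(t, apply_subst(sg, r), p)
            out.add(t)
    return out

def diamond_at(E, s):
    """Diamond property of => for the divergences from s: any two parallel reducts
    of s have a common parallel reduct."""
    pr = parallel_reduction(E, s)
    return all(parallel_reduction(E, a) & parallel_reduction(E, b) for a in pr for b in pr)

# Constructed sample TRS: Peano addition, left-linear and non-ambiguous.
ZERO = ("0", ())
def S(t): return ("s", (t,))
def ADD(a, b): return ("add", (a, b))
E_ADD = [(ADD(ZERO, "y"), "y"), (ADD(S("x"), "y"), S(ADD("x", "y")))]
```

For s = add(add(0, s(0)), add(s(0), 0)) the two redexes sit at the parallel positions (1,) and (2,), so parallel_reduction returns four terms and diamond_at confirms that every parallel divergence from s closes in one parallel step.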

The main lemmas and theorems specified and formalized about orthogonality are presented below. All presented lemmas were formalized. The lemma Linear_and_Non_ambiguous_implies_confluent is a weaker version of the lemma of confluence of orthogonal TRSs, which is the last one.

- Linear_and_Non_ambiguous_implies_triangle: LEMMA FORALL (E):
    Linear?(E) & NOT Ambiguous?(E) => local_joinability_triangle?(reduction?(E))

- One_side_diamond_implies_confluent: LEMMA local_joinability_triangle?(R) => confluent?(R)

- Linear_and_Non_ambiguous_implies_confluent: LEMMA
    FORALL (E): ((Linear?(E) & NOT Ambiguous?(E)) => confluent?(reduction?(E)))

- parallel_reduction: LEMMA
    (reduction?(E)(t1, t2) => parallel_reduction?(E)(t1, t2))
    & (parallel_reduction?(E)(t1, t2) => RTC(reduction?(E))(t1, t2))

- parallel_reduction_is_DP: LEMMA Orthogonal?(E) => diamond_property?(parallel_reduction?(E))

- Orthogonal_implies_confluent: LEMMA
    FORALL (E: Orthogonal): LET RRE = reduction?(E) IN confluent?(RRE)

RTC(R), used in parallel_reduction, specifies the reflexive-transitive closure of the rewriting relation R.

The lemma Linear_and_Non_ambiguous_implies_confluent is proved in a standard manner. In fact, since, in addition to the orthogonality restrictions, variables cannot appear repeatedly in the rhs of the rules, this proof does not need elaborate manipulation of reductions and instantiations in order to build the term of parallel joinability for the divergence terms.

From the specification of these lemmas, one can observe that Orthogonal_implies_confluent, the main lemma, depends on the formalization of parallel_reduction and parallel_reduction_is_DP. The former lemma is relatively simple and the latter is the crucial one.

In order to classify overlaps in a parallel divergence from a term in which, on one side, a parallel reduction is applied at positions $\Pi_1$ and, on the other side, at positions $\Pi_2$, the positions involved in the divergence are classified through the following recursive functions:

- sub_pos((fsp: PP), p: position): RECURSIVE finseq[position] =
    IF length(fsp) = 0 THEN empty_seq[position]
    ELSIF p <= fsp(0) & p /= fsp(0) THEN add_first(fsp(0), sub_pos(rest(fsp), p))
    ELSE sub_pos(rest(fsp), p)
    ENDIF MEASURE length(fsp)

- Pos_Over((fsp1: PP), (fsp2: PP)): RECURSIVE finseq[position] =
    IF length(fsp1) = 0 THEN empty_seq[position]
    ELSE (IF (length(sub_pos(fsp2, fsp1(0))) > 0
              OR PP?(add_first(fsp1(0), fsp2)))
          THEN add_first(fsp1(0), Pos_Over(rest(fsp1), fsp2))
          ELSE Pos_Over(rest(fsp1), fsp2) ENDIF)
    ENDIF MEASURE length(fsp1)

sub_pos($\Pi$, $\pi$) builds the subsequence of positions of the sequence of parallel positions $\Pi$ that are strictly below the position $\pi$; that is, the $\pi' \in \Pi$ such that $\pi$ is a proper prefix of $\pi'$, as usual denoted as $\pi < \pi'$. Pos_Over($\Pi_1$, $\Pi_2$) builds the subsequence of positions of $\Pi_1$ that are parallel to all positions in $\Pi_2$ or that have positions of the sequence $\Pi_2$ below them. In this specification, PP? is the predicate of the type PP of sequences of parallel positions. These functions are crucial in order to build the term of one-step parallel joinability needed in the proof of the lemma parallel_reduction_is_DP.
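The functions sub_pos and Pos_Over and the predicate PP?, transcribed into Python as an added example (not the paper's PVS code) and applied to a constructed parallel divergence. The position representation (tuples of 1-based argument indices) and the classify driver, which only shows how the two functions combine on one divergence, are assumptions of this example.

```python
# Positions are tuples of 1-based argument indices (assumption of this example);
# sequences of positions are Python lists, in the order of the PVS finseqs.
def is_prefix(p, q):
    """p <= q in the prefix order on positions."""
    return q[:len(p)] == p

def parallel(p, q):
    return not is_prefix(p, q) and not is_prefix(q, p)

def pp(fsp):
    """PP?: the positions of fsp are pairwise parallel."""
    return all(parallel(p, q) for i, p in enumerate(fsp) for q in fsp[i + 1:])

def sub_pos(fsp, p):
    """sub_pos: the subsequence of fsp strictly below p (p a proper prefix of them)."""
    return [q for q in fsp if p != q and is_prefix(p, q)]

def pos_over(fsp1, fsp2):
    """Pos_Over: positions of fsp1 that have positions of fsp2 below them or are
    parallel to every position of fsp2 (PP? holds after adding them in front of fsp2)."""
    return [p for p in fsp1 if sub_pos(fsp2, p) or pp([p] + fsp2)]

def classify(fsp1, fsp2):
    """For a divergence at fsp1 and fsp2: the outermost positions of each side (in the
    order of fsp1 then fsp2) and, for each of them, the other side's positions below it."""
    over1, over2 = pos_over(fsp1, fsp2), pos_over(fsp2, fsp1)
    below = {p: sub_pos(fsp2, p) for p in over1}
    below.update({p: sub_pos(fsp1, p) for p in over2})
    return over1 + over2, below

# Constructed divergence: one side rewrites at (1,1) and (2,), the other side at
# (1,), (2,1) and (3,). Each side is a sequence of pairwise parallel positions.
PI1 = [(1, 1), (2,)]
PI2 = [(1,), (2, 1), (3,)]
```

On this input Pos_Over keeps (2,) from the first side and (1,) and (3,) from the second, and the outermost positions of the two sides together are again pairwise parallel.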

Confluence of orthogonal TRSs is proved according to the following sketch. Firstly, it is proved that $\rightarrow \subseteq \Rightarrow \subseteq \rightarrow^{*}$, from which one concludes that $\Rightarrow^{*} = \rightarrow^{*}$. The lemma parallel_reduction corresponds to these inclusions. Then, it is proved that, for orthogonal systems, $\Rightarrow$ has the diamond property, which corresponds to the lemma parallel_reduction_is_DP. For an analytical proof see the extended version of this paper.
3 Formalization of Confluence of Non-Ambiguous and Linear TRSs

Computational formalizations do not admit mistakes and, in particular, specifications based on rewriting rules as well as on recursive functional definitions can profit from a formalization of confluence of orthogonal systems. Several works report efforts on the specification of different computational objects (software and hardware) through TRSs (e.g., [1, 2, 10, 11]). Consequently, it is relevant to have robust and as complete as possible libraries for the theory of abstract reduction systems and TRSs in different proof assistants. To construct the joinability term for the lemma parallel_reduction_is_DP, one has to consider several cases, one of which is explained in the sequel.

Suppose one has a parallel divergence $t_1 \Leftarrow s \Rightarrow t_2$ from the term $s$ at positions $\Pi_1$ and $\Pi_2$, with respectively associated rules and substitutions $\Gamma_i$ and $\Sigma_i$, $i \in \{1, 2\}$. Let $\pi \in \Pi_2$, and let $l \rightarrow r$ and $\sigma$ denote the associated rule and substitution, respectively. sub_pos($\Pi_1$, $\pi$) builds the subsequence $\Pi_{1\pi}$ of positions in $\Pi_1$ below $\pi$. Let $\Pi_{1\pi} = \{\pi_1, \ldots, \pi_k\}$. For $1 \le j \le k$, let $g_j \rightarrow d_j$ and $\sigma_j$ denote the rule and substitution associated with position $\pi_j$. Then, by non-ambiguity, for all $1 \le j \le k$, there exist $\pi'_j$ and $\pi''_j$ such that $\pi\pi'_j\pi''_j = \pi_j$, $\pi'_j$ being a variable position of the lhs of the rule $l \rightarrow r$.

Let $\sigma'$ be the substitution obtained from $\sigma$ by modifying all variables according to the substitutions $\sigma_j$; then the divergence at position $\pi$, that is $t_2|_{\pi} \Leftarrow s|_{\pi} \Rightarrow t_1|_{\pi}$, can be joined in one step of parallel reduction as $t_2|_{\pi} = r\sigma \Rightarrow r\sigma' \Leftarrow l\sigma' = t_1|_{\pi}$. The construction of $\sigma'$ is one of the most elaborate steps in this formalization. Namely, suppose $x$ is a variable occurring in the lhs of the rule $l \rightarrow r$ only at position $\pi'$ (left-linearity guarantees the uniqueness of $\pi'$); if $\pi' \neq \pi'_j$ for all $1 \le j \le k$, then $x\sigma' := x\sigma$. Otherwise, let $\{j_1, \ldots, j_m\}$ be the set of indices such that $\pi' = \pi'_{j_l}$, for $1 \le l \le m$ and $1 \le j_l \le k$. Since the positions in $\Pi_{1\pi}$ are parallel, $\{\pi''_{j_1}, \ldots, \pi''_{j_m}\}$ are parallel positions of $x\sigma$. By applying the rules $g_{j_l} \rightarrow d_{j_l}$ with substitutions $\sigma_{j_l}$, for $1 \le l \le m$, one reduces in parallel $x\sigma \Rightarrow x\sigma[\pi''_{j_1} \leftarrow d_{j_1}\sigma_{j_1}] \ldots [\pi''_{j_m} \leftarrow d_{j_m}\sigma_{j_m}]$. Thus, in this case, $x\sigma'$ is defined as $x\sigma[\pi''_{j_1} \leftarrow d_{j_1}\sigma_{j_1}] \ldots [\pi''_{j_m} \leftarrow d_{j_m}\sigma_{j_m}]$.

The polymorphic function choose_seq below was specified to construct associated subsequences of positions, rules or substitutions. choose_seq($\Pi_{1\pi}$, $\Pi_1$, $\Gamma_1$) and choose_seq($\Pi_{1\pi}$, $\Pi_1$, $\Sigma_1$) give respectively the subsequences of rules and substitutions associated with $\Pi_{1\pi}$. In particular, choose_seq can be used in order to choose the sequence of terms, instantiations of the rhs's of rules, that should be changed in order to obtain $x\sigma'$, for a variable $x$ occurring at position $\pi\pi'$. Namely, this is done by calling choose_seq(sub_pos($\Pi_1$, $\pi\p'$), $\Pi_1$, $\{d_1\sigma_1, \ldots, d_n\sigma_n\}$), where the sequence of terms $\{d_1\sigma_1, \ldots, d_n\sigma_n\}$ is straightforwardly built from the sequences of rules and substitutions associated with $\Pi_1$, i.e., $\Gamma_1 = \{g_1 \rightarrow d_1, \ldots, g_n \rightarrow d_n\}$ and $\Sigma_1 = \{\sigma_1, \ldots, \sigma_n\}$.

choose_seq(seq: PP, seq1: PP, (seq2 | seq1`length = seq2`length)): RECURSIVE finseq[T] =
  IF length(seq) = 0 THEN empty_seq
  ELSIF index(seq1, seq(0)) < seq1`length
  THEN add_first(seq2(index(seq1, seq(0))), choose_seq(rest(seq), seq1, seq2))
  ELSE choose_seq(rest(seq), seq1, seq2)
  ENDIF MEASURE (length(seq))

The function index($\Pi$, $\pi$) above returns the index of the position $\pi$ in the sequence $\Pi$, which is less than the length of $\Pi$ if $\pi$ indeed occurs in $\Pi$. Otherwise, it returns the length of $\Pi$.

The construction of $\sigma'$ requires the specification of two recursive functions, SIGMA and SIGMAP.

SIGMA(sigma, x, fst, (fsp: SPP(sigma(x)) | length(fsp) = length(fst)))(y: (V)): term =
  IF length(fst) = 0 OR y /= x
  THEN sigma(y)
  ELSE replace_terms(sigma(x), fst, fsp)
  ENDIF

SIGMA has as arguments $\sigma$, $x$ and the associated subsequences of substituting terms and positions relative to the necessary update of $x\sigma$. One has that SIGMA($\sigma$, $x$, $\{d_{j_1}\sigma_{j_1}, \ldots, d_{j_m}\sigma_{j_m}\}$, $\{\pi''_{j_1}, \ldots, \pi''_{j_m}\}$) applied to $x$ gives $x\sigma'$, that is $x\sigma[\pi''_{j_1} \leftarrow d_{j_1}\sigma_{j_1}] \ldots [\pi''_{j_m} \leftarrow d_{j_m}\sigma_{j_m}]$.

The construction of the whole substitution $\sigma'$ is done through the function SIGMAP below, which adequately calls the function SIGMA: SIGMAP($\sigma$, $\{x_1, \ldots, x_q\}$, $\{\pi\pi'_1, \ldots, \pi\pi'_q\}$, $\{d_1\sigma_1, \ldots, d_n\sigma_n\}$, $\{\pi_1, \ldots, \pi_n\}$), where $\{x_1, \ldots, x_q\}$ and $\{\pi\pi'_1, \ldots, \pi\pi'_q\}$ are the sequence of variables in the lhs of the rule $l \rightarrow r$ that should change, assuming $l\sigma$ occurs at position $\pi$, and the associated sequence of positions of these variables in the whole term $t_1$, respectively. For a variable $y \in \{x_1, \ldots, x_q\}$, say $y = x_i$, SIGMAP calls the function SIGMA giving as input the sequence of terms to be substituted and their associated positions in $y\sigma$. This is done through application of the functions choose_seq and complement_pos. The former is called as choose_seq($\{\pi\pi'_i\pi''_{j_1}, \ldots, \pi\pi'_i\pi''_{j_m}\}$, $\{\pi_1, \ldots, \pi_n\}$, $\{d_1\sigma_1, \ldots, d_n\sigma_n\}$), which gives the sequence of substituting terms. The latter is called as complement_pos($\pi\pi'_i$, $\{\pi_1, \ldots, \pi_n\}$), which gives as result the associated positions inside $y\sigma$, that is $\{\pi''_{j_1}, \ldots, \pi''_{j_m}\}$.

SIGMAP(sigma, fsv, (fsp1: PP | fsp1`length = fsv`length),
       fst, (fsp2: PP | fsp2`length = fst`length))(y: (V)): RECURSIVE term =
  IF length(fsv) = 0
  THEN sigma(y)
  ELSIF y = fsv`seq(0) & SP?(sigma(fsv`seq(0)))(complement_pos(fsp1`seq(0), fsp2))
  THEN SIGMA(sigma, fsv`seq(0), choose_seq(sub_pos(fsp2, fsp1`seq(0)), fsp2, fst),
             complement_pos(fsp1`seq(0), fsp2))(y)
  ELSE SIGMAP(sigma, rest(fsv), rest(fsp1), fst, fsp2)(y)
  ENDIF MEASURE (length(fsv))

A small number of lemmas were formalized in order to prove the soundness of this definition; namely, the fact that it is in fact a substitution is axiomatized. Among these lemmas, as a matter of illustration, it is necessary to prove that the subsequences of terms and positions given as third and second parameters of the call of SIGMA have the same length.

This is stated as the following lemma, easily formalized by induction on the length of the finite sequences. In fact, this lemma says that, if one compares a position p with a sequence of parallel positions fsp, the complementary positions are obtained from the same positions that are under p.

complement_pos_preserv_sub_pos_length1: LEMMA
  PP?(fsp) => complement_pos(p, fsp)`length = sub_pos(fsp, p)`length
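The construction of $\sigma'$ described in this section, with choose_seq, SIGMA and SIGMAP and the length relation between complement_pos and sub_pos, reworked as an added Python example (not the paper's PVS development). The term representation, the reading of complement_pos (used on the page but not defined there) and the sample rules f(x, y) → g(x, x), a → b and c → d are assumptions of this example.

```python
# Terms: a variable is a str, a functional term is (f, args) (assumption of this
# example); positions are tuples of 1-based argument indices, () being the root.
def is_var(t):
    return isinstance(t, str)

def replace_term(s, t, p):
    """s[p <- t]."""
    if not p:
        return t
    args = list(s[1])
    args[p[0] - 1] = replace_term(args[p[0] - 1], t, p[1:])
    return (s[0], tuple(args))

def replace_terms(s, fst, fsp):
    """s[p_1 <- t_1]...[p_k <- t_k] for pairwise parallel positions fsp."""
    for t, p in zip(fst, fsp):
        s = replace_term(s, t, p)
    return s

def apply_subst(sigma, t):
    return sigma.get(t, t) if is_var(t) else (t[0], tuple(apply_subst(sigma, a) for a in t[1]))

def var_positions(t, here=()):
    """Pairs (x, p) for every occurrence of a variable x at position p of t."""
    if is_var(t):
        return [(t, here)]
    return [vp for i, a in enumerate(t[1], 1) for vp in var_positions(a, here + (i,))]

def sub_pos(fsp, p):
    """Positions of fsp strictly below p."""
    return [q for q in fsp if p != q and q[:len(p)] == p]

def complement_pos(p, fsp):
    """Assumed reading of the paper's complement_pos: for each q of fsp strictly below
    p, the suffix q'' with p q'' = q, i.e. q seen as a position inside the subterm at p."""
    return [q[len(p):] for q in sub_pos(fsp, p)]

def choose_seq(seq, seq1, seq2):
    """Elements of seq2 at the indices where the positions of seq occur in seq1."""
    return [seq2[seq1.index(p)] for p in seq if p in seq1]

def SIGMA(sigma, x, fst, fsp):
    """sigma updated at x only: x sigma' = (x sigma)[fsp <- fst]; other variables unchanged."""
    return lambda y: replace_terms(sigma[x], fst, fsp) if fst and y == x else sigma.get(y, y)

def SIGMAP(sigma, fsv, fsp1, fst, fsp2):
    """sigma': for the i-th lhs variable fsv[i], found at whole-term position fsp1[i],
    contract the redexes of fsp2 lying below fsp1[i] (contracta fst) inside fsv[i] sigma."""
    def sigma_prime(y):
        for x, pos in zip(fsv, fsp1):
            if y == x and sub_pos(fsp2, pos):
                return SIGMA(sigma, x, choose_seq(sub_pos(fsp2, pos), fsp2, fst),
                             complement_pos(pos, fsp2))(y)
        return sigma.get(y, y)
    return sigma_prime

def join_divergence(l, r, sigma, pi, fsp2, fst):
    """Divergence at pi: one side rewrites s|pi = l sigma to r sigma, the other rewrites
    the parallel positions fsp2 (all below pi, inside instantiated variables) to fst.
    Returns (sigma', r sigma, l sigma', r sigma'): r sigma => r sigma' <- l sigma'."""
    vps = var_positions(l)
    sp = SIGMAP(sigma, [x for x, _ in vps], [pi + p for _, p in vps], fst, fsp2)
    sigma_p = {x: sp(x) for x, _ in vps}
    return sigma_p, apply_subst(sigma, r), apply_subst(sigma_p, l), apply_subst(sigma_p, r)

# Constructed instance: rule f(x, y) -> g(x, x) at the root against a -> b and c -> d
# at positions (1,1) and (2,1) of s = f(h(a), h(c)).
A, B, C, D = ("a", ()), ("b", ()), ("c", ()), ("d", ())
def H(t): return ("h", (t,))
RULE_L, RULE_R = ("f", ("x", "y")), ("g", ("x", "x"))
SIGMA0 = {"x": H(A), "y": H(C)}
```

For the constructed instance σ' maps x to h(b) and y to h(d); the two divergent terms g(h(a), h(a)) and f(h(b), h(d)) both reach g(h(b), h(b)), the first by one parallel step over the two copies of x and the second by one rewrite with f(x, y) → g(x, x).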

Currently, the whole PVS orthogonality development consists of about 1,300 lines of specification and 46,000 lines of proofs. Indeed, there are 40 definitions, 84 proved lemmas and 8 axioms.

4 Related Work and Conclusions

PVS specifications of non-trivial notions and formalizations of results of the theory of term rewriting systems were presented, related to the properties of the parallel rewriting relation and orthogonal rewriting systems. The PVS theory for orthogonal TRSs enriches the PVS theory trs for TRSs introduced in [6] and available in [14]. The formalizations of these properties of orthogonal TRSs are close to the analytical inductive proofs presented in textbooks such as [3] and [?], which in essence are based on the well-known parallel moves lemma, which projects parallel reductions over a single rewriting reduction. These formalizations provide additional evidence of the appropriateness of both the higher-order specification language and the proof engine of PVS to deal in a natural way with the specification of rewriting notions and properties and their formalizations. This consequently implies the good support of
PVS to deal with soundness and completeness and with the integrity constraints of specifications of computational objects specified through rewriting rules.

In its current status, the theory for orthogonal TRSs includes a complete formalization of confluence of non-ambiguous and linear TRSs as well as a proof of confluence of orthogonal TRSs, using standard definitions and proof ideas shown in textbooks, which ease their understanding. The last theorem depends both on the lemma of equivalence of the reflexive-transitive closures of the rewriting and the parallel reduction relations and on the lemma of the diamond property of the parallel reduction relation of orthogonal TRSs. The latter lemma is formalized by axiomatizing some technical properties of parallel positions, rules and substitutions involved in one step of parallel reduction. In [13] the criterion of weak orthogonality was integrated to ensure confluence using the certification tool CeTA. Unlike orthogonality, weak orthogonality allows for trivial critical pairs. To the best of our knowledge, no complete formalization of the property of confluence of orthogonal TRSs is available in any proof assistant.